Most financial sites contain 'phishing' flaws

  • 15:53 23 September 2004
  • NewScientist.com news service
  • Will Knight
Nine out of 10 financial and commercial websites contain flaws that could allow computer crooks to swindle users out of their cash, according to a new report.

A study released on Thursday by UK-based computer consultants Next Generation Security (NGS) reveals that 90% of the 100-plus web applications audited by the company in the past year were potentially vulnerable to an advanced "phishing" scam.

Phishing involves duping a web user into handing over financial details or passwords for an online bank or e-commerce store, enabling the user's account to be raided.

The perpetrators will often send out fake administrative emails designed to lure people to a website that looks like that of a genuine bank, and has only a slightly different web address, where they are asked to provide account information.

Scripting attacks

However, the majority of flaws discovered by NGS did not involve fake sites. Instead, NGS most frequently found configuration errors that could be used to redirect sensitive information from a legitimate website to a fraudulent one without the user knowing.

Known as a cross-site scripting attack, the trick uses a site's own server software to forward sensitive information, usually by embedding a link to another site inside a long and complex hypertext link that still points at the legitimate site.

A further 30% of sites analysed by NGS were found to contain database vulnerabilities that could be used to access large amounts of personal information stored by a company. "It's pretty scary stuff," says Gunter Ollman, professional services director at NGS.

But he notes that these vulnerabilities can be fixed once they are detected. "Financial organisations do spend an awful lot of money on security," he told New Scientist. "However, when you look at the average e-retail site, they tend to be a lot worse."

Fake banners

Ollman points out that software designed to detect phishing stings may also miss cross-site-scripting scams because the user is not visiting a bogus website.

He also warns that phishing fraud is becoming ever more sophisticated. One of the latest tricks, for example, involves using fake banner advertisements to entice users to a fake bank site with the promise of a special promotion.

Peter Sommer, a computer crime expert at University College London, says phishing poses a huge problem for web companies. "I think it's a pervasive problem," he told New Scientist. "Banks are just going to have to spend some money to educate people."

Figures released in July 2004 from the Anti-Phishing Working Group, a consortium of US businesses set up to track and counter the issue, indicate that phishing attacks are increasing at a rate of 50% per month.
